Mandiant is “highly confident” that foreign cyberspies will target US election infrastructure, organizations, and individuals in the run-up to the November midterm elections.
Based on recent activity by various threat groups, as well as previous election targeting, the security firm expects nation-state backed gangs in Russia, China, and Iran will attempt to pull off cyberespionage against US government and election-related outfits.
“We have tracked activity from groups associated with Russia, China, Iran, North Korea, and other nations targeting organizations and individuals related to elections in the US and/or other nations with apparent goals ranging from information collection and establishing footholds or stealing data for later activity to one known case of a destructive attack against critical election infrastructure,” the Mandiant team said in research published today.
Mandiant’s threat hunters also say with “moderate confidence” that distributed denial-of-service (DDoS), ransomware, or other disruptive and/or destructive attacks will impact elections.
Additionally, as we’ve seen in previous elections, Russia, Iran and China will likely use information operations to “intimidate or influence” US voters, they noted. This is usually to put citizens off voting or turn them against each other, leading to unrest.
Hijacking voting machines … unlikely?
However, amid the likely cyberespionage, misinformation campaigns, and possible ransomware infections, there is a silver lining when it comes to the mechanics of voting itself.
“We believe notable compromises of actual voting devices or other activity impacting the integrity of votes is unlikely,” the researchers report. But that doesn’t mean that some miscreants aren’t trying.
While actual criminals aren’t likely to publicize their illicit actions in advance, one security researcher recently bought a Dominion ImageCast X voting machine on eBay before Michigan officials even knew it was missing.
Harri Hursti, an election security expert who works for state officials testing voting machines for bugs, paid $1,200 for the machine and then emailed Michigan’s Secretary of State office about the deal.
The machine — and how it illegally ended up for sale on eBay — is now the subject of an investigation.
Voting machine hacks aside, Mandiant – which Google is trying to buy for more than $5 billion – suggested who is likely to interfere with or disrupt US elections. As indicated above, Russia, Iran, and China are top of the list.
How to spot fake news
In terms of election misinformation, Russia’s Internet Research Agency (IRA) will likely promote right-wing narratives related to the 2022 midterms as they did in the lead-up to the 2016 and 2020 presidential elections.
Mandiant’s threat intel team has observed two phony accounts, posting on Twitter and other sites, claiming to be editors at a Kremlin-linked pseudo news organization called Newsroom for American and European Based Citizens (NAEBC). Their favored topics include the midterm elections, the US economy, and energy prices, as well as Russia’s invasion of Ukraine.
Additionally, Beijing-backed Dragonbridge, which operates 72 fake-news websites and social media accounts pushing pro-China propaganda and criticizing America and its allies, has already pivoted to election-related topics.
“Utilizing a tactic first observed during Dragonbridge messaging targeting Western rare earths mining companies, some accounts posted comments using first-person pronouns to feign concern, implying that they were American,” the threat researchers noted.
Mandiant also observed a pro-Iran Distinguished Impersonator influence campaign during the 2018 midterms, and expects to see similar activity in this election cycle. In this case, the operation used fake accounts impersonating US political candidates to push false narratives.
The campaign also managed to get letters, blogs, and guest columns published in legit US news outlets, and created fake journalist personas to interview real people expressing views that lined up with Iranian interests.
Election cyberespionage
The four nation-state sponsored gangs most likely to target the 2022 midterm elections include China’s APT41 and APT31, Russia’s APT29, and the newly named APT42, which Mandiant earlier this week linked to Iran’s Islamic Revolutionary Guard Corps, a terrorist group that plotted to murder US citizens including former national security advisor John Bolton.
APT41, also known as Barium, Wicked Panda and Wicked Spider, has ties to the Chinese Ministry of State Security, while APT31 (aka Judgment Panda and Zirconium) has also been linked to the Chinese government by security researchers.
And APT29, which Microsoft tracks as Nobelium and everyone else calls Cozy Bear, has been attributed to Russia’s Foreign Intelligence Service. It’s probably best known for compromising the Democratic National Committee before the 2016 election and the infamous SolarWinds supply chain attack.
Additionally, Mandiant labeled a handful of other threat-groups from these three nations as “activity possible” around the elections.
“However, this list should not be viewed as comprehensive; it is possible that additional known actors or previously unobserved groups will also engage in relevant cyber threat activity,” according to the research. ®